| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f5c2f410-36da-41a0-8d61-ffdd88096513@broadcom.com>
Date: Thu, 6 Nov 2025 13:27:04 -0800
From: Florian Fainelli <florian.fainelli@...adcom.com>
To: Kuniyuki Iwashima <kuniyu@...gle.com>
Cc: netdev@...r.kernel.org, bcm-kernel-feedback-list@...adcom.com,
Doug Berger <opendmb@...il.com>, Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>,
Antoine Tenart <atenart@...nel.org>, Yajun Deng <yajun.deng@...ux.dev>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net-next v2 1/2] net: ethernet: Allow disabling pause on
panic
On 11/4/25 14:44, Kuniyuki Iwashima wrote:
> On Tue, Nov 4, 2025 at 2:13 PM Florian Fainelli
> <florian.fainelli@...adcom.com> wrote:
>>
>> Development devices on a lab network might be subject to kernel panics
>> and if they have pause frame generation enabled, once the kernel panics,
>> the Ethernet controller stops being serviced. This can create a flood of
>> pause frames that certain switches are unable to handle resulting a
>> completle paralysis of the network because they broadcast to other
>> stations on that same network segment.
>>
>> To accomodate for such situation introduce a
>> /sys/class/net/<device>/disable_pause_on_panic knob which will disable
>> Ethernet pause frame generation upon kernel panic.
>>
>> Note that device driver wishing to make use of that feature need to
>> implement ethtool_ops::set_pauseparam_panic to specifically deal with
>> that atomic context.
>>
>> Signed-off-by: Florian Fainelli <florian.fainelli@...adcom.com>
>> ---
>> Documentation/ABI/testing/sysfs-class-net | 16 +++++
>> include/linux/ethtool.h | 3 +
>> include/linux/netdevice.h | 1 +
>> net/core/net-sysfs.c | 34 ++++++++++
>> net/ethernet/Makefile | 3 +-
>> net/ethernet/pause_panic.c | 81 +++++++++++++++++++++++
>> 6 files changed, 137 insertions(+), 1 deletion(-)
>> create mode 100644 net/ethernet/pause_panic.c
>>
>> diff --git a/Documentation/ABI/testing/sysfs-class-net b/Documentation/ABI/testing/sysfs-class-net
>> index ebf21beba846..f762ce439203 100644
>> --- a/Documentation/ABI/testing/sysfs-class-net
>> +++ b/Documentation/ABI/testing/sysfs-class-net
>> @@ -352,3 +352,19 @@ Description:
>> 0 threaded mode disabled for this dev
>> 1 threaded mode enabled for this dev
>> == ==================================
>> +
>> +What: /sys/class/net/<iface>/disable_pause_on_panic
>> +Date: Nov 2025
>> +KernelVersion: 6.20
>> +Contact: netdev@...r.kernel.org
>> +Description:
>> + Boolean value to control whether to disable pause frame
>> + generation on panic. This is helpful in environments where
>> + the link partner may incorrect respond to pause frames (e.g.:
>> + improperly configured Ethernet switches)
>> +
>> + Possible values:
>> + == ==================================
>> + 0 threaded mode disabled for this dev
>> + 1 threaded mode enabled for this dev
>
> nit: These lines need to be updated.
>
>
>> + == ==================================
>> diff --git a/include/linux/ethtool.h b/include/linux/ethtool.h
>> index c2d8b4ec62eb..e014d0f2a5ac 100644
>> --- a/include/linux/ethtool.h
>> +++ b/include/linux/ethtool.h
>> @@ -956,6 +956,8 @@ struct kernel_ethtool_ts_info {
>> * @get_pauseparam: Report pause parameters
>> * @set_pauseparam: Set pause parameters. Returns a negative error code
>> * or zero.
>> + * @set_pauseparam_panic: Set pause parameters while in a panic context. This
>> + * call is not allowed to sleep. Returns a negative error code or zero.
>> * @self_test: Run specified self-tests
>> * @get_strings: Return a set of strings that describe the requested objects
>> * @set_phys_id: Identify the physical devices, e.g. by flashing an LED
>> @@ -1170,6 +1172,7 @@ struct ethtool_ops {
>> struct ethtool_pauseparam*);
>> int (*set_pauseparam)(struct net_device *,
>> struct ethtool_pauseparam*);
>> + void (*set_pauseparam_panic)(struct net_device *);
>> void (*self_test)(struct net_device *, struct ethtool_test *, u64 *);
>> void (*get_strings)(struct net_device *, u32 stringset, u8 *);
>> int (*set_phys_id)(struct net_device *, enum ethtool_phys_id_state);
>> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
>> index e808071dbb7d..2d4b07693745 100644
>> --- a/include/linux/netdevice.h
>> +++ b/include/linux/netdevice.h
>> @@ -2441,6 +2441,7 @@ struct net_device {
>> bool proto_down;
>> bool irq_affinity_auto;
>> bool rx_cpu_rmap_auto;
>> + bool disable_pause_on_panic;
>>
>> /* priv_flags_slow, ungrouped to save space */
>> unsigned long see_all_hwtstamp_requests:1;
>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>> index ca878525ad7c..c01dc3e200d8 100644
>> --- a/net/core/net-sysfs.c
>> +++ b/net/core/net-sysfs.c
>> @@ -770,6 +770,39 @@ static ssize_t threaded_store(struct device *dev,
>> }
>> static DEVICE_ATTR_RW(threaded);
>>
>> +static ssize_t disable_pause_on_panic_show(struct device *dev,
>> + struct device_attribute *attr,
>> + char *buf)
>> +{
>> + struct net_device *ndev = to_net_dev(dev);
>> + ssize_t ret = -EINVAL;
>> +
>> + rcu_read_lock();
>> + if (dev_isalive(ndev))
>> + ret = sysfs_emit(buf, fmt_dec, READ_ONCE(ndev->disable_pause_on_panic));
>> + rcu_read_unlock();
>> +
>> + return ret;
>> +}
>> +
>> +static int modify_disable_pause_on_panic(struct net_device *dev, unsigned long val)
>> +{
>> + if (val != 0 && val != 1)
>> + return -EINVAL;
>
> Should we validate !ops->set_pauseparam_panic here
> rather than disable_pause_on_device() ?
Yes we should certainly do it here to give an early warning to users
whether this will work or not. To keep things simple however, we would
still need to check set_pauseparam_panic in the panic handler, otherwise
we would have to construct a list of network devices that do support the
operation and use that.
>
> ops = dev->ethtool_ops;
> if (!ops || !ops->set_pauseparam_panic)
> return -EOPNOTSUPP;
>
>
>> +
>> + WRITE_ONCE(dev->disable_pause_on_panic, val);
>> +
>> + return 0;
>> +}
>> +
>> +static ssize_t disable_pause_on_panic_store(struct device *dev,
>> + struct device_attribute *attr,
>> + const char *buf, size_t len)
>> +{
>> + return netdev_store(dev, attr, buf, len, modify_disable_pause_on_panic);
>> +}
>> +static DEVICE_ATTR_RW(disable_pause_on_panic);
>> +
>> static struct attribute *net_class_attrs[] __ro_after_init = {
>> &dev_attr_netdev_group.attr,
>> &dev_attr_type.attr,
>> @@ -800,6 +833,7 @@ static struct attribute *net_class_attrs[] __ro_after_init = {
>> &dev_attr_carrier_up_count.attr,
>> &dev_attr_carrier_down_count.attr,
>> &dev_attr_threaded.attr,
>> + &dev_attr_disable_pause_on_panic.attr,
>> NULL,
>> };
>> ATTRIBUTE_GROUPS(net_class);
>> diff --git a/net/ethernet/Makefile b/net/ethernet/Makefile
>> index e03eff94e0db..9b1f3ff8695a 100644
>> --- a/net/ethernet/Makefile
>> +++ b/net/ethernet/Makefile
>> @@ -3,4 +3,5 @@
>> # Makefile for the Linux Ethernet layer.
>> #
>>
>> -obj-y += eth.o
>> +obj-y += eth.o \
>> + pause_panic.o
>> diff --git a/net/ethernet/pause_panic.c b/net/ethernet/pause_panic.c
>> new file mode 100644
>> index 000000000000..8ef61eb768a0
>> --- /dev/null
>> +++ b/net/ethernet/pause_panic.c
>> @@ -0,0 +1,81 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Ethernet pause disable on panic handler
>> + *
>> + * This module provides per-device control via sysfs to disable Ethernet flow
>> + * control (pause frames) on individual Ethernet devices when the kernel panics.
>> + * Each device can be configured via /sys/class/net/<device>/disable_pause_on_panic.
>> + */
>> +
>> +#include <linux/kernel.h>
>> +#include <linux/init.h>
>> +#include <linux/panic_notifier.h>
>> +#include <linux/netdevice.h>
>> +#include <linux/ethtool.h>
>> +#include <linux/notifier.h>
>> +#include <linux/if_ether.h>
>> +#include <net/net_namespace.h>
>> +
>> +/*
>> + * Disable pause/flow control on a single Ethernet device.
>> + */
>> +static void disable_pause_on_device(struct net_device *dev)
>> +{
>> + const struct ethtool_ops *ops;
>> +
>> + /* Only proceed if this device has the flag enabled */
>> + if (!READ_ONCE(dev->disable_pause_on_panic))
>> + return;
>> +
>> + ops = dev->ethtool_ops;
>> + if (!ops || !ops->set_pauseparam_panic)
>> + return;
>> +
>> + /*
>> + * In panic context, we're in atomic context and cannot sleep.
>> + */
>> + ops->set_pauseparam_panic(dev);
>> +}
>> +
>> +/*
>> + * Panic notifier to disable pause frames on all Ethernet devices.
>> + * Called in atomic context during kernel panic.
>> + */
>> +static int eth_pause_panic_handler(struct notifier_block *this,
>> + unsigned long event, void *ptr)
>> +{
>> + struct net_device *dev;
>> +
>> + /*
>> + * Iterate over all network devices in the init namespace.
>> + * In panic context, we cannot acquire locks that might sleep,
>> + * so we use RCU iteration.
>> + * Each device will check its own disable_pause_on_panic flag.
>> + */
>> + rcu_read_lock();
>> + for_each_netdev_rcu(&init_net, dev) {
>> + /* Reference count might not be available in panic */
>> + if (!dev)
>> + continue;
>
> This seems unnecessary unless while() + next_net_device_rcu()
> is used instead of for_each_netdev_rcu().
>
> Or are we assuming that something could overwrite NULL to
> dev->dev_list.next and panic ?
In panic context not much can happen by this point, so I presume we can
just walk the list of network devices in the init space with no specific
locking or protection of any sort.
Thanks for your review!
--
Florian
Powered by blists - more mailing lists